Facilitating Concurrency in Hybrid Programs Haithem Turki∗ Long Pham∗ Carnegie Mellon University Carnegie Mellon University [email protected] [email protected] December 7, 2019 Abstract Cyber-physical systems (CPSs) are inherently composite|by defini- tion, a CPS comprises at least two distinct components for discrete dy- namics and continuous dynamics. In the conventional framework of hy- brid programs (HPs) and differential dynamic logic (dL), it is necessary to provide a single, monolithic description of an entire cyber-physical system (CPS) before it is ready for formal analysis. This places on the shoulders of users the burden of synthesizing a single hybrid program describing the CPS under consideration even if the system consists of a number of interacting components. To address this issue, we propose a calculus for concurrent hybrid pro- grams in this paper. Our calculus incorporates the idea of message passing from the well-established process calculus Communicating Sequential Pro- cesses (CSP) into hybrid programs. As far as we know, this is the first calculus for concurrent HPs that can handle both of what we call blocking synchronization and non-blocking synchronization. In addition to the for- mal syntax of the calculus, we present its trace-based denotational seman- tics and pave the way for a full sequentialization algorithm by presenting key axioms for sequentialization. Finally, we describe a proof-of-work pro- totype for sequentialization of concurrent hybrid programs that has been built on top of KeYmaera X. 1 Introduction In our project, we wish to extend the existing hybrid programs in the standard differential dynamic logic (dL) to facilitate the modeling and design of a system that consists of multiple interacting and continuously evolving components. Within the current framework of dL, hybrid programs are written as a se- quential sequence of instructions modeling continuous and discrete dynamics. Consequently, in order to model and verify a cyber-physical system (CPS) con- sisting of multiple components that interact with one another, users are required ∗Equal contribution; course section: 15-824 1 to first integrate all of those interacting components into a single hybrid program before analyzing the resulting composite hybrid program. It is thus incumbent upon the users to take great care when modeling the continuous evolution of the system in a manner consistent with the vast multitude of concurrent phenomena that may be happening in reality at any given point in time. Furthermore, concurrency in hybrid programs makes it easier to model a CPS with complicated event-triggered/time-triggered control. At present, in dL and KeYmaera X, users need to specify a single hybrid program that en- compasses both the description of physics (i.e. ordinary differential equations; ODEs) and the description of control (i.e. tests and discrete assignments). As a result, this clutters the description of a hybrid program. In event-triggered control, for example, it is necessary to split the evolution domain of an ODE into two or more overlapping regions, resulting in two similar looking ODEs in one hybrid program. Additionally, the lack of ability to separate control from physics demands users to decide how best to combine the continuous and discrete dynamics so as to faithfully mirror the CPS in the users' minds. Therefore, motivated by (i) the need to model cyber-physical systems with interacting components and (ii) the desire to separate control from physics in a clean way, we propose incorporating message-passing concurrency into hybrid programs. Specifically, our contributions are 1. Adding channels, which allow hybrid programs to communicate with each other by passing messages, to the syntax; 2. Providing trace semantics to the proposed calculus; 3. Devising a sequentialization algorithm that, given multiple interacting hy- brid program, produces a hybrid program that describes the global be- haviour of the interaction; 4. Extending KeYmaera X to provide a proof-of-concept implementation sup- porting our augmented syntax. 2 Relevant literature Process algebras Process calculi (also known as process algebras) are a fam- ily of theoretical frameworks in which we can rigorously reason about concurrent programs. The first process calculus, called Communicating Sequential Pro- cesses (CSP), was created by Hoare[1978]. Before the creation of CSP, the only approach to concurrent programming was shared-memory concurrency, where we use low-level constructs (e.g. semaphores and locks) to synchronize programs. In shared-memory concurrency, programs \communicate by sharing memory." However, due to the use of low-level synchronization constructs, it is difficult to write correct concurrent programs in shared-memory concurrency, let alone reasoning about such concurrent programs. By contrast, in CSP, we use chan- nels to pass information across interacting programs/processes. Hence, in ef- fect, programs \share memory by communication" rather than \communicating 2 by sharing memory." This paradigm of concurrency is called message-passing concurrency and is more amenable to formal analysis than shared-memory con- currency. CSP has been influential in the design of many practical programming lan- guages, including Golang by Google, and other process algebras such as Calculus of Communicating Systems (CCS) by Milner[1980] and the π-calculus by Milner et al.[1992] (which is a significant extension of CCS where not only constants but also channels can be transmitted across channels). Incorporating concurrency into hybrid systems Various attempts have been made to directly introduce concurrency into the hybrid systems domain. M¨ulleret al.[2018] present a component-based approach that decomposes the overall system into multiple component models whose safety can then be proven individually. Under certain compatibility conditions on how components are connected, the safety of the overall composed system as a whole can then be guaranteed. In order to achieve these guarantees, components interact through interfaces phrased as contracts on the input assumptions and output guarantees that abstract the internal behavior of each individual component. Although this bears similarities to our proposed solution, these contracts abstract the hy- brid (continuous-time) behavior of one component to discrete-time observations available to other components. Platzer[2012] further suggests a dynamic logic (quantified differential dy- namic logic; QdL) for verifying distributed hybrid systems (modeled by quan- tified hybrid programs; QHP) and an associated proof calculus. The object of study in QdL is a system of (possibly an arbitrary/variable finite number of) QHPs that act on global variables (i.e. those variables that are visible to all participating hybrid programs) in an unrestricted manner (i.e. no synchroniza- tion mechanisms such as semaphores, locks, and message passing). Equipped with universal and existential quantification, QdL allows us to express proper- ties about the global behavior of such a system. Therefore, QdL and QHPs are suitable to the study of a cyber-physical system in which all participating hy- brid programs are fairly independent of one another and exhibit identical/highly similar behavior. By way of example, consider a system of cars equipped with identical engines. Each car can influence a global variable such as the distance between one car and another car. However, their interaction via global vari- ables is non-blocking in the sense that the behavior of one car never causes other cars to momentarily stop moving. On the other hand, our calculus is tailored to a system consisting of a fixed (and usually small) number of hybrid programs that can communicate with each other by not only acting on global variables but also passing messages around. To sum up, QdL is targeted at a large, homogeneous system of somewhat independent hybrid programs, while our calculus suits a small, heterogeneous system of hybrid programs that are interacting more closely with each other. 3 Incorporating hybrid systems into process calculi Instead of adding concurrency to the existing frameworks of hybrid systems, we can work in the reversed direction: build a framework for concurrent hybrid systems by start- ing with conventional process calculi (e.g. CSP, CCS, and the π-calculus) and introducing continuous dynamics to them. One example is hybrid CSP (HCSP) [Jifeng, 1994; Chaochen et al., 1996; Liu et al., 2010], which extends CSP with differential equations and interruptions among several other additional constructs. The semantics of HCSP hinges on the notion of duration that is formalized by the calculus of duration [Chaochen et al., 1991] (more precisely, the extended duration calculus). Additionally, to reason about programs written in HCSP, hybrid Hoare logic has been developed by combining (i) Hoare logic, which employs pre- and post-conditions to reason about imperative programs, and (ii) the calculus of duration, which can handle states that may change continuously over non-zero duration. On the level of syntax, HCSP is analogous to what we propose in this doc- ument: both of them use sequential composition and loops to create hybrid programs from simpler ones. However, these two calculi differ in the types of synchronization they support. Message passing in HCSP can only happen at discrete time in the same manner as in traditional CSP. By contrast, the calculus proposed in this document is capable of \continuously" synchronizing two ODEs that